Configuring Objects

Objects are reusable components for use in your configuration. They can be defined and used in ASA configurations in the place of inline IP addresses. Objects make it easy to maintain your configurations because you can modify an object in one place and have it be reflected in all other places that are referencing it. Without objects you would have to modify the parameters for every feature when required, instead of just once. For example, if a network object defines an IP address and subnet mask, and you want to change the address, you only need to change it in the object definition, not in every feature that refers to that IP address.

This chapter describes how to configure objects, and it includes the following sections:

Information About Objects and Groups

The ASA supports objects and object groups. You can attach or detach objects from one or more object groups when needed, ensuring that the objects are not duplicated but can be re-used wherever needed.

Information About Objects

Objects are created in and used by the ASA in the place of an inline IP address in any given configuration. You can define an object with a particular IP address and netmask pair or a protocol (and, optionally, a port) and use this object in several configurations. The advantage is that whenever you want to modify the configurations created to this IP address or protocol, you do not need to modify all rules in the running configuration. You can modify the object, and then the change automatically applies to all rules that use the specified object. You can configure two types of objects: network objects and service objects. These objects can be used in Network Address Translation (NAT), access lists, and object groups.

Information About Object Groups

By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:

Protocol

Network

Service

ICMP type

For example, consider the following three object groups:

MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network.

TrustedHosts—Includes the host and network addresses allowed access to the greatest range of services and servers.

PublicServers—Includes the host addresses of servers to which the greatest access is provided.

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers.

You can also nest object groups in other object groups.

Licensing Requirements for Objects and Groups

The following table shows the licensing requirements for this feature:

Model

License Requirement

All models

Base License.

Guidelines and Limitations for Objects and Groups

This section includes the guidelines and limitations for this feature.

Object groups must have unique names. While you might want to create a network object group named “Engineering” and a service object group named “Engineering,” you need to add an identifier (or “tag”) to the end of at least one object group name to make it unique. For example, you can use the names “Engineering_admins” and “Engineering_hosts” to make the object group names unique and to aid in identification.

You cannot remove an object group or make an object group empty if it is used in a command.

The ASA does not support IPv6 nested object groups, so you cannot group an object with IPv6 entities under another IPv6 object group.

The icmp, tcp, or udp keywords specify that this service object is for either the ICMP, TCP, or UDP protocol.

The icmp-type argument names the ICMP type.

The icmp6 keyword specifies that the service type is for ICMP version 6 connections.

The icmp6-type argument names the ICMP version 6 type.

The source keyword specifies the source port.

The destination keyword specifies the destination port.

The operator port argument specifies a single port/code value that supports configuring the port for the protocol. You can specify “eq,” “neq,” “lt,” “gt,” and “range” when configuring a port for TCP or UDP. The “range” operator lists the beginning port and ending port.

Adding a Protocol Object Group

To add or change a protocol object group, perform the steps in this section. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.

Defines the protocols in the group. Enter the command for each protocol. The protocol is the numeric identifier of the specified IP protocol (1 to 254) or a keyword identifier (for example, icmp, tcp, or udp). To include all IP protocols, use the keyword ip. For a list of protocols that you can specify, see the “Protocols and Applications” section.

Example

To create a protocol group for TCP, UDP, and ICMP, enter the following commands:

Adding a Network Object Group

A network object group supports IPv4 and IPv6 addresses.

To add or change a network object group, perform the steps in this section. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.

Adding a Service Object Group

To add or change a service object group, perform the steps in this section. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.

Detailed Steps

The object keyword adds an additional object to the service object group.

The grp_id is a text string up to 64 characters in length and can be any combination of letters, digits, and the following characters:

underscore “_”

dash “-”

period “.”

Specify the protocol for the services (ports) you want to add with either the tcp, udp, or tcp-udp keywords. Enter the tcp-udp keyword if your service uses both TCP and UDP with the same port number, for example, DNS (port53).

The prompt changes to service configuration mode.

Step 2

description texthostname(config-service)# description DNS Group

(Optional) Adds a description. The description can be up to 200 characters.

Adding an ICMP Type Object Group

To add or change an ICMP type object group, perform the steps in this section. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.

Nesting Object Groups

You can nest object groups hierarchically so that one object group can contain other object groups of the same type and you can mix and match nested group objects and regular objects within an object group. The ASA does not support IPv6 nested object groups, however, so you cannot group an object with IPv6 entities under another IPv6 object-group.

To nest an object group within another object group of the same type, first create the group that you want to nest (see the “Configuring Object Groups” section), and then perform the steps in this section.

Adds the specified group under the object group you specified in Step 1. The nested group must be of the same type. You can mix and match nested group objects and regular objects within an object group.

Examples

Create network object groups for privileged users from various departments by entering the following commands:

Configuring Regular Expressions

A regular expression matches text strings either literally as an exact string, or by using metacharacters so that you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet. This section describes how to create a regular expression and includes the following topics:

Creating a Regular Expression

A regular expression matches text strings either literally as an exact string, or by using metacharacters so you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet.

Guidelines

Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration.

See the regex command in the command reference for performance impact information when matching a regular expression to packets.

Note As an optimization, the ASA searches on the deobfuscated URL. Deobfuscation compresses multiple forward slashes (/) into a single slash. For strings that commonly use double slashes, like “http://”, be sure to search for “http:/” instead.

Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.

( exp)

Subexpression

A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.

|

Alternation

Matches either expression it separates. For example, dog|cat matches dog or cat.

?

Question mark

A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.

Note You must enter Ctrl+V and then the question mark or else the help function is invoked.

*

Asterisk

A quantifier that indicates that there are 0, 1 or any number of the previous expression. For example, lo*se matches lse, lose, loose, and so on.

+

Plus

A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.

Matches any character in the brackets. For example, [abc] matches a, b, or c.

[^ abc ]

Negated character class

Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an uppercase letter.

Examples

Creating a Regular Expression Class Map

A regular expression class map identifies one or more regular expressions. You can use a regular expression class map to match the content of certain traffic; for example, you can match URL strings inside HTTP packets.

Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.

The match-any keyword specifies that the traffic matches the class map if it matches at least one of the regular expressions.

The CLI enters class-map configuration mode.

Step 3 (Optional) Add a description to the class map by entering the following command:

hostname(config-cmap)# descriptionstring

Step 4 Identify the regular expressions you want to include by entering the following command for each regular expression:

hostname(config-cmap)# matchregexregex_name

Examples

The following example creates two regular expressions, and adds them to a regular expression class map. Traffic matches the class map if it includes the string “example.com” or “example2.com.”

Information About Scheduling Access List Activation

You can schedule each ACE in an access list to be activated at specific times of the day and week by applying a time range to the ACE.

Licensing Requirements for Scheduling Access List Activation

The following table shows the licensing requirements for this feature:

Model

License Requirement

All models

Base License.

Guidelines and Limitations for Scheduling Access List Activation

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

The following guidelines and limitations apply to using object groups with access lists:

Users could experience a delay of approximately 80 to 100 seconds after the specified end time for the ACL to become inactive. For example, if the specified end time is 3:50, because the end time is inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59. After the command is picked up, the ASA finishes any currently running task and then services the command to deactivate the ACL.

Multiple periodic entries are allowed per time-range command. If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and they are not further evaluated after the absolute end time is reached.

Configuring and Applying Time Ranges

You can add a time range to implement a time-based access list. To identify the time range, perform the steps in this section.